Thread: Will masq work?

  1. #1

    Will masq work?

    Okay, here is my iptables script.

    I am unable to test it from my only internal machine because of some configuration problems. Here is my iptables script on my desktop (192.168.1.4); I'm connected to the net through ppp0.

    Code:
    #!/bin/sh
    
    # Begin /etc/rc.d/init.d/firewall
    
    # Clearing any existing rules
    iptables -P INPUT ACCEPT
    iptables -F INPUT
    iptables -P OUTPUT ACCEPT
    iptables -F OUTPUT
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -t nat -F
    
    # Turn on IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # allow local-only connections
    iptables -A INPUT  -i lo -j ACCEPT
    # free output on any interface to any ip for any service (equal to -P ACCEPT)
    iptables -A OUTPUT -j ACCEPT
    
    # permit answers on already established connections
    # and permit new connections related to established ones (eg active-ftp)
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
    iptables -A FORWARD -j LOG
    
    # Masquerade the connection (-j MASQUERADE)
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    
    # Log everything else:  What's Windows' latest exploitable vulnerability?
    iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT  "
    iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT"
    
    # set a sane policy:    everything not accepted > /dev/null
    iptables -P INPUT    DROP
    iptables -P FORWARD  DROP
    iptables -P OUTPUT   DROP
    
    # Let irc work properly
    iptables -A INPUT -i ppp0 -p tcp --dport 113 -j ACCEPT
    
    # be verbose on dynamic ip-addresses     (not needed in case of static IP)
    echo 2 > /proc/sys/net/ipv4/ip_dynaddr
    
    # disable ExplicitCongestionNotification - too many routers are still ignorant
    echo 0 > /proc/sys/net/ipv4/tcp_ecn
    
    # End /etc/rc.d/init.d/firewall
    (All the correct modules are compiled into the kernel.) Some of those lines may be wrapped over, so forget them.

    Now as far as I can work out, this should masq my connections alright. I'm sticking OpenBSD on another computer in the next couple of days and would like to use ports to install a few things over my network. Will this script do masq alright for me?

    Thanks!

  2. #2

    Re: Will masq work?

    As far as I can see, the script should work fine. If you want to do full connection tracking you should replace your default accept-all OUTPUT and FORWARD rule with a stateful rule using -m state --state NEW, to match your ESTABLISHED and RELATED input rulesets. One thing though, the script does not masq (meaning NAT) your connection. It does firewall your LAN though.

  3. #3

    Re: Will masq work?

    Hmm.. Okay. What do I need to add to it to get it to masq my connection?

  4. #4

    Re: Will masq work?

    Need an iptables/firewalling PET ;D because I haven't been able to learn/understand anything I've read for shit =P. Anyone have something that the newbiest of newbs could understand after reading?

  5. #5

    Re: Will masq work?

    To NAT your connection you need to add this line to your script.
    Code:
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    I would make it one of the top most rules.

    Also, if you don't plan on NATting this box, you will need to modify your FORWARD ruleset. Right now it's allowing all outgoing packets from eth0 to ppp0, but it is not allowing any traffic back into the LAN (established, related). If you do NAT this connection, I don't think you will need to worry about forwarding from ppp0 to eth0 (WAN to LAN), since LAN-bound packets will be destined for ppp0.

  6. #6

    Re: Will masq work?

    Here is my new (and clearer!) iptables script:

    Code:
    #!/bin/sh
    
    # Begin /etc/rc.d/init.d/firewall
    
    # Turn on IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # Enable dynamic address hacking
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    
    # Clear any existing rules
    iptables -P INPUT ACCEPT
    iptables -F INPUT
    iptables -P OUTPUT ACCEPT
    iptables -F OUTPUT
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -t nat -F
    
    # Masquerade the connection
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    
    # free output on any interface to any ip for any service (equal to -P ACCEPT)
    iptables -A OUTPUT -j ACCEPT
    
    # Allow all connections out - established ones in
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    iptables -A FORWARD -j LOG
    
    # Drop everything not accepted
    iptables -P INPUT    DROP
    iptables -P FORWARD  DROP
    iptables -P OUTPUT   DROP
    
    # Let irc work properly
    iptables -A INPUT -i ppp0 -p tcp --dport 113 -j ACCEPT
    
    # End /etc/rc.d/init.d/firewall
    Now, as far as I can work out, NAT should work, right? Well, for some reason it's not. Might it be that I haven't set up my clients properly?

    [edit] Running traceroute tells me that the packets from my client are delivered to my gateway. So my theory is that either the packets are not being allowed back in, or they are not being sent by the gateway.

    Any ideas?

  7. #7

    Re: Will masq work?

    I now believe that my script is stopping the packets before they even get out onto the net. I've tried pinging IP addresses, but kppp tells me that no bytes went out as I was trying to ping the IP address (the IP was Google's, so I should have been getting a response).

    But what is stopping the packets from leaving my gateway?

  8. #8

    Re: Will masq work?

    I feel like I'm talking to myself here, but here is my final script that actually works!

    Code:
    #!/bin/sh
    
    # Clear any existing rules
    iptables -P INPUT ACCEPT
    iptables -F INPUT
    iptables -P OUTPUT ACCEPT
    iptables -F OUTPUT
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -t nat -F
    
    # allow local-only connections
    iptables -A INPUT  -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # allow forwarding
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state NEW ! -i ppp+ -j ACCEPT
    
    # do masquerading    (not needed if intranet is not using private ip-addresses)
    iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
    
    # Log everything for debugging (last of all rules, but before DROP/REJECT)
    iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
    iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
    iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
    
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -j ACCEPT
    
    # set a sane policy
    iptables -P INPUT   DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT  DROP
    
    # be verbose on dynamic ip-addresses (not needed in case of static IP)
    echo 2 > /proc/sys/net/ipv4/ip_dynaddr
    
    # disable ExplicitCongestionNotification
    echo 0 > /proc/sys/net/ipv4/tcp_ecn
    
    # activate TCPsyncookies
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    
    # activate Route-Verification = IP-Spoofing_protection
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
    done
    
    # activate IP-Forwarding 
    echo 1 > /proc/sys/net/ipv4/ip_forward
    I'm still not quite sure why it wouldn't work but I'll try to figure it out later on.

  9. #9

    Re: Will masq work?

    So the last script works, right? If so, I would imagine that the problem was corrected by the NEW state in your forward ruleset. The other scripts did not allow for packets other than established and related to pass from one interface to the next. Since no NEW packets could be forwarded through your box, no connections could be established to begin with. Remember, packets with a new state are the first part of the TCP/IP three-way handshake.

    Whenever I debug firewalls I log everything to the console and create different log prefixes for different rulesets so I can see at what point things are failing.

    One question though. When you flush the default policy at the beginning of your script, you still have
    Code:
    iptables -P FORWARD DROP
    iptables -F FORWARD
    Did you want this to be accept?

    Another good thing to do is have a friend nmap your external interface, in addition to trying to connect to internal servers or scan beyond your firewall, just to make sure for a fact your firewall is working.

    I once built a firewall, but screwed up my forwarding ruleset. Since my input ruleset was working correctly, nmapping the external interface showed that packets were being rejected. At this point I said "ok, everything works fine." However, a week later, I was able to hit internal webservers from the extranet and only then did it dawn on me that I had misconfigured my forward ruleset and that my firewall was essentially a POS.
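The NAT fix from post #5 and the NEW-state forwarding fix from post #9, consolidated into one stateful gateway ruleset as an added example (not any poster's script): every iptables call goes through a `run` helper so that `DRY_RUN=1` prints the rules instead of applying them, and the `LAN`/`WAN` interface names (eth0, ppp+) are assumptions.

```shell
#!/bin/sh
# Added example: stateful masquerading gateway in the style of post #8.
# LAN and WAN interface names are assumptions; override via environment.
LAN="${LAN:-eth0}"
WAN="${WAN:-ppp+}"

# run: print the command when DRY_RUN=1, otherwise execute it (needs root).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

gateway_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Reset chains; FORWARD stays closed until the stateful rules exist.
    run iptables -P INPUT ACCEPT
    run iptables -P OUTPUT ACCEPT
    run iptables -P FORWARD DROP
    run iptables -F INPUT
    run iptables -F OUTPUT
    run iptables -F FORWARD
    run iptables -t nat -F
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    # Replies to connections the gateway itself opened.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -j ACCEPT
    # FORWARD: return traffic for tracked flows, plus NEW flows that start on
    # the LAN side. Without the NEW rule (the bug the thread chased) no client
    # connection can begin: the first SYN is NEW, not ESTABLISHED.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state NEW -i "$LAN" -o "$WAN" -j ACCEPT
    # Rewrite the source address of everything leaving on the WAN link.
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Log what is about to be dropped, one prefix per chain for debugging.
    run iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
    run iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
}

# Entry point: "print" shows the rules, "apply" installs them (as root).
case "${1:-}" in
    print) DRY_RUN=1 gateway_rules ;;
    apply) gateway_rules ;;
esac
```

Run `sh firewall.sh print` to review the generated rules before applying them on the gateway.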
